CVE-2021-33500

CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

PuTTY before 0.75 on Windows allows remote servers to cause a denial of service (Windows GUI hang) by telling the PuTTY window to change its title repeatedly at high speed, which results in many SetWindowTextA or SetWindowTextW calls.

NOTE: the same attack methodology may affect some OS-level GUIs on Linux or other platforms for similar reasons.

OSC Escape Sequences and Terminal Title Changes

Terminal emulators support a class of escape sequences called OSC (Operating System Command) codes. These allow the running process (a remote shell, application, or SSH server) to send commands to the terminal emulator itself — outside the normal text output. The sequences are invisible to the user and processed by the terminal.

The OSC sequence for changing the terminal window title is:

\033]0;<title>\007

Broken down:

  • \033] — ESC followed by ]: begins an OSC sequence

  • 0 — parameter: sets both the icon name and window title

  • ; — separator between parameter and value

  • <title> — the new title string

  • \007 — BEL (0x07): terminates the OSC sequence

This is a standard feature supported by virtually all terminal emulators. When a server sends this sequence, the terminal calls the operating system to update the window title.

The Windows API Function: SetWindowText

On Windows, PuTTY implements title changes by calling the Windows API function SetWindowTextA or SetWindowTextW (depending on encoding). This function:

  1. Sends a WM_SETTEXT message to the window

  2. Updates the window’s title bar text

  3. Triggers a window repaint

The Windows GUI message pump processes WM_SETTEXT messages synchronously in the main GUI thread. Each call blocks until the window manager has processed the update and completed the repaint.

The Vulnerability

PuTTY’s main SSH reading loop processes incoming data (including OSC escape sequences) in the same thread as the GUI message pump. When a server sends title-change sequences faster than the GUI thread can process them:

  1. Incoming SSH data is queued as network I/O

  2. Each OSC title sequence calls SetWindowTextA/W

  3. Each call blocks waiting for the GUI repaint to complete

  4. New data continues arriving from the network, adding more OSC sequences

  5. The GUI thread is permanently occupied processing title changes

  6. The window stops responding to user input — it is hung

The hang persists as long as the server sends new title-change sequences. Since the attack requires no authentication beyond the initial SSH session setup, a malicious server can trigger this immediately after the user connects.

Generating the Attack

Any shell command that continuously outputs OSC title sequences at high speed will trigger the hang. On the server side (or injected via SSH-MITM):

PS1=''
while :
do
    echo -ne "\033]0;NEW_TITLE${RANDOM}\007"
done

The ${RANDOM} variable ensures each title is different — some implementations optimize away repeated identical titles, so varying the title keeps the calls going.

Setting PS1='' disables the shell prompt (otherwise the prompt itself would interleave with the output). In a MitM scenario, this can be injected directly into the SSH channel data stream.

Mitigation

Update PuTTY to version >= 0.75. The fix rate-limits title changes so that the GUI thread is not overwhelmed regardless of how fast the server sends OSC sequences.
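As an added illustration of the rate-limiting approach described above (example code written for this page, not PuTTY's own fix; the class and function names, the 0.1 s interval, the injectable clock and the constructed burst are assumptions), the following Python scans a chunk of terminal output for OSC 0/2 title sequences, strips them from the visible text, and coalesces the title requests so the window is updated at most once per interval with only the newest title, whereas a naive handler would issue one SetWindowText call per sequence.

```python
import re

# OSC 0 / OSC 2 title sequence: ESC ] 0|2 ; <title> terminated by BEL (0x07) or ST (ESC \).
# Assumption: each chunk contains whole sequences (no splitting across chunk boundaries).
OSC_TITLE_RE = re.compile(rb"\x1b\][02];([^\x07\x1b]*)(?:\x07|\x1b\\)")


class TitleRateLimiter:
    """Coalesce title-change requests: the window is updated at most once per
    min_interval seconds, and between updates only the newest title is kept.
    `clock` is injectable (hypothetical design choice) so tests can use a fake clock."""

    def __init__(self, min_interval, clock):
        self.min_interval = min_interval
        self.clock = clock
        self.last_applied_at = None  # time of the last real window update
        self.pending = None          # newest title not yet shown
        self.applied = []            # titles actually handed to the window (stand-in for SetWindowText)

    def request(self, title):
        """One OSC title sequence arrived from the server."""
        now = self.clock()
        if self.last_applied_at is None or now - self.last_applied_at >= self.min_interval:
            self._apply(title, now)
        else:
            self.pending = title     # overwrite: a flood collapses to a single deferred update

    def flush(self):
        """Called periodically (e.g. from a GUI timer) to show a deferred title."""
        if self.pending is not None and self.clock() - self.last_applied_at >= self.min_interval:
            self._apply(self.pending, self.clock())

    def _apply(self, title, now):
        self.applied.append(title)
        self.last_applied_at = now
        self.pending = None


def feed(data, limiter):
    """Route every title sequence in a chunk through the limiter; return the text
    that should still be displayed and how many sequences (naive calls) were seen."""
    titles = OSC_TITLE_RE.findall(data)
    for title in titles:
        limiter.request(title)
    return OSC_TITLE_RE.sub(b"", data), len(titles)


def demo():
    # Constructed burst mimicking the loop above: 10,000 distinct titles in one chunk.
    burst = b"".join(b"\x1b]0;NEW_TITLE%d\x07" % i for i in range(10000))
    now = [0.0]                                   # fake clock, advanced by hand
    lim = TitleRateLimiter(min_interval=0.1, clock=lambda: now[0])
    visible, naive_calls = feed(burst + b"hello\r\n", lim)
    calls_during_burst = len(lim.applied)         # one update instead of 10,000
    now[0] = 0.2                                  # later: the timer fires
    lim.flush()
    return {"naive_calls": naive_calls, "calls_during_burst": calls_during_burst,
            "calls_after_flush": len(lim.applied), "final_title": lim.applied[-1],
            "visible": visible}
```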
